How OpenShift cert-manager simplifies cluster certificates

October 25, 2023
Chandler Wilkerson
Related topics:
Operators
Related products:
Red Hat OpenShift


    This short article will demonstrate how to use the cert-manager operator to shift a self-signed CA into the Red Hat OpenShift cluster, allowing the operator to take care of the overhead of requesting and signing your certificates for you, so you can use the same CA no matter how many times you reinstall your cluster.

    If you have a workflow much like mine, you may find yourself reinstalling your OpenShift cluster often in order to test new configurations, swap between different versions, and sometimes just to test that a series of steps you are documenting truly works on a pristine cluster. When doing so, it is a good idea to replace the cluster's Ingress TLS certificates with one from a known CA, even if that known CA is your own self-signed certificate. It sure beats wasting time with your browser agreeing that yet another new TLS certificate from an "unknown certificate authority" is actually okay, a process that typically happens twice if you use the UI: once to reach the login screen, and once to authenticate via the OAuth system.

    You could follow the instructions in the documentation, Replacing the default ingress certificate: generate your CA, create a CSR for the appropriate wildcard domain, and sign it. You may even choose to automate the process after going through the manual version once to understand the workflow. But with a little more effort, you can future-proof your certificate signing process to handle any TLS needs you might run into later.

    Introducing cert-manager

    The cert-manager operator for OpenShift handles the lifecycle management portion of your TLS certificates, whether for the cluster's ingress operator (as I will describe here) or for the various encryption needs of your containerized applications. Documentation for the cert-manager operator can be found alongside the certificates page previously mentioned. The cert-manager operator has capabilities far beyond simple self-signed TLS certificates, allowing integration with external certificate authorities like [Let's Encrypt](https://letsencrypt.org/) and others. So taking the time to learn it from this basic example could pay off in the future.

    In my case, I will stick with the self-signed CA because I use a private domain, example.com, for illustration purposes in my blogs, and external CAs cannot sign requests for private domains.

    Getting started

    The first step is to generate a self-signed certificate for use as your CA. One of the easiest ways to create a CA is to use the CFSSL utility from Cloudflare. You can download binaries from the Git repository's Releases page, or build your own from source. Once you have the binary, create a JSON file like the following to configure some basic information for your CA:

    {
      "CN": "Kubernetes",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "US",
          "L": "Westford",
          "O": "Example",
          "OU": "CA",
          "ST": "Massachusetts"
        }
      ]
    }

    Save that as "ca.json" and run it through cfssl with the following:

    cfssl gencert -initca ca.json | cfssljson -bare ca

    You should now have a ca.pem and ca-key.pem. This is your own certificate authority and its secret key. You will need to add this CA to several places to make things go smoothly.

    If Firefox is your browser of choice like mine, these instructions work well. Other browser guides are easy to find with a web search.

    Next is your cluster's CA bundle. This is relatively easy if this is the only CA you are adding. Create a ConfigMap from the ca.pem file generated above:

    oc create configmap custom-ca \
        --from-file=ca-bundle.crt=ca.pem \
        -n openshift-config

    Patch the new ConfigMap in the cluster config:

    oc patch proxy/cluster \
        --type=merge \
        --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'

    Third, we need to hand the CA and its secret key over to cert-manager, but I've gotten ahead of myself. Let's install cert-manager first.

    Installing cert-manager

    Following the instructions in the OpenShift Documentation, install the official cert-manager operator for Red Hat OpenShift from the OperatorHub. Once installed, it will create two namespaces: cert-manager-operator for the operator itself and, more importantly, cert-manager for its configuration. Now we can add our CA to cert-manager:

    oc -n cert-manager \
        create secret tls ca-root-secret \
        --cert=ca.pem --key=ca-key.pem

    Once that Secret is created, we can create a ClusterIssuer that tells cert-manager how to sign certificates with your CA:

    oc create -f - <<END
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: ca-issuer
    spec:
      ca:
        secretName: ca-root-secret
    status: {}
    END

    The final step is to create a Certificate, a custom resource added by cert-manager:

    oc create -f - <<END
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: ingress-cert
      namespace: openshift-ingress
    spec:
      commonName: kubernetes
      dnsNames:
      - '*.apps.your-cluster.example.com'
      isCA: false
      issuerRef:
        group: cert-manager.io
        kind: ClusterIssuer
        name: ca-issuer
      privateKey:
        algorithm: ECDSA
        size: 256
      secretName: custom-certs-managed
    status: {}
    END

    The previous Certificate object tells cert-manager to create a Secret called custom-certs-managed in the openshift-ingress namespace. To apply the certificate to the cluster's ingress, and thus to any *.apps address in the cluster, patch the default IngressController:

    oc --namespace openshift-ingress-operator \
      patch --type=merge ingresscontrollers/default \
      --patch '{"spec":{"defaultCertificate":{"name":"custom-certs-managed"}}}'

    At this point, the routers will deploy the new certificate, and once that process is finished, your cluster will be using certificates signed by your own CA, which your browser should already trust.
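    As an added example (not part of the original article), the following script is a post-deployment check for the setup above. It first confirms that a router host is actually covered by the wildcard dnsName, since a leading `*` matches exactly one DNS label (so `*.apps.your-cluster.example.com` covers the console and OAuth hosts but not `apps.your-cluster.example.com` itself or any deeper name), then uses `oc wait` and `openssl s_client` to confirm the `ingress-cert` Certificate is Ready and the router serves a chain that validates against `ca.pem`. The script, the `console-openshift-console.<apps domain>` host name convention and the default `ca.pem` path are assumptions, not text from the article.

```shell
#!/bin/sh
# Added post-deployment check for the cert-manager ingress setup (assumed script,
# not from the article). The CA file defaults to the ca.pem produced by cfssl; the
# console host follows the OpenShift default, console-openshift-console.<apps domain>.

# Succeeds when HOST is covered by PATTERN, one entry from the Certificate's dnsNames.
# A leading "*" matches exactly one DNS label, so "*.apps.c.example.com" covers
# "console-openshift-console.apps.c.example.com" but neither "apps.c.example.com"
# nor "a.b.apps.c.example.com"; such hosts would need their own dnsNames entry.
host_covered_by_san() {
  host=$1
  pattern=$2
  case $pattern in
    \*.*)
      suffix=${pattern#\*.}          # everything after the leading "*."
      first=${host%%.*}              # first label of the host
      rest=${host#*.}                # host with its first label removed
      [ -n "$first" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$host" = "$pattern" ]       # no wildcard: exact match only
      ;;
  esac
}

# Wait for cert-manager to mark the Certificate Ready, then confirm the router really
# serves a chain that validates against our CA. -verify_return_error makes s_client
# exit non-zero when the presented chain does not validate against -CAfile.
verify_ingress_chain() {
  apps_domain=$1
  ca_pem=${2:-ca.pem}
  host="console-openshift-console.$apps_domain"
  host_covered_by_san "$host" "*.$apps_domain" || {
    echo "dnsNames would not cover $host" >&2; return 1; }
  oc -n openshift-ingress wait --for=condition=Ready certificate/ingress-cert \
    --timeout=120s || return 1
  printf '' | openssl s_client -connect "$host:443" -servername "$host" \
    -CAfile "$ca_pem" -verify_return_error >/dev/null 2>&1
}

# Usage: ./check-ingress-cert.sh apps.your-cluster.example.com [ca.pem]
if [ $# -ge 1 ]; then
  verify_ingress_chain "$@"
fi
```

The exit status is zero only when the wildcard covers the console host, the Certificate reports Ready, and the served chain validates, so the script can gate an automated reinstall workflow.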

    Last updated: May 22, 2024
